Re: Newbie question on using SSH and FTP

From: datacide (datacide_at_gmail.com)
Date: 12/31/04


Date: 31 Dec 2004 01:45:53 -0800

Hello,
you are of course correct, using FTP in cleartext negates the benefit
of using SSH.

To understand the issue you need to look at various factors:

Usability as opposed to security
SSH needs a specific client, which is fine for an administrator, but
cannot be expected of average users.
FTP client functionality is integrated in most explorers and OS's, as
such it is still a valid tool to use. Windows based SFTP/SCP clients on
the other hand are for the most part not for the non-techy or
commercial (although the PuTTY suite contains one, albeit command line
driven; WinSCP is really good).
A tradeoff between usability and security needs is one of the top
moving factors in I.T.

Implementation
Do users with shell access have ftp access and vice versa? Is the ftp
server accessible from the internet or only internally?
Most ftpd daemons allow you to define a list of users with ftp access,
and on UNIX systems you can define users with no login shell.
As such the accounts acquired from sniffing cleartext ftp do not
necessarily grant access to a system shell. A good example for this
are web hosting accounts, where customers often have ftp access to
upload their webpages but no shell.

Historical reasons
Let's face it, a lot of people don't even use ssh. In the Linux/BSD
world it is standard now, but take a look at things such as Solaris
which in the version 8 still had no SSHD, AIX used Telnet for a long
time (have they got sshd now?),
Cisco devices come with telnet usually enabled as opposed to ssh, as do
Nokia's older IPSO implementations.
These are supposed "security" devices or mainframes, large scale
servers.

I have worked with mainframe admins who didn't know about sftp/scp,
some not even about ssh.

The I.T world is not just the Internet Linux community, or security
people in general.

Also, some people seem to misunderstand the security function of
encryption. I have literally heard people say their webserver is secure
as it uses ssl..... ;) go figure

regards
dc
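
The "Implementation" point in the message above (FTP user lists versus accounts with no login shell) can be audited on a host. The script below is an added example, not part of the original post; it assumes passwd(5) format and an FTP deny list with one user name per line (as the traditional /etc/ftpusers has), and the function names, the no-login shell set and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumptions: passwd(5) format; the ftpd reads a deny list with one
# user name per line (as the traditional /etc/ftpusers does).

# Shells that give no interactive login (assumed set, extend as needed).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# ftp_shell_overlap PASSWD_FILE FTP_DENY_FILE
# Prints "user shell" for each account that may use FTP and also has a
# usable login shell, i.e. a sniffed FTP password would open a shell.
ftp_shell_overlap() {
    awk -F: -v deny="$2" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(nologin, s, " ")
            for (i = 1; i <= n; i++) noshell[s[i]] = 1
            # Load the deny list, skipping comments and blank lines.
            while ((getline line < deny) > 0) {
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "" && line !~ /^#/) denied[line] = 1
            }
        }
        /^#/ || NF < 7 || ($1 in denied) { next }
        {
            shell = ($7 == "" ? "/bin/sh" : $7)  # empty field means /bin/sh
            if (!(shell in noshell)) print $1, shell
        }
    ' "$1"
}

# Constructed sample data, written to a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:admin:/home/alice:/bin/bash
web01:x:2001:2001:hosting customer:/var/www/web01:/sbin/nologin
web02:x:2002:2002:hosting customer:/var/www/web02:/bin/false
legacy:x:2003:2003:old account:/home/legacy:
EOF
    printf '# denied FTP\nroot\n' > "$d/ftpusers"
    ftp_shell_overlap "$d/passwd" "$d/ftpusers"
    rm -rf "$d"
}

demo
```

On a real host, call `ftp_shell_overlap /etc/passwd /etc/ftpusers`, substituting whatever user list your ftpd actually reads.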


